Enabling HTTPS using Let’s Encrypt

After Edward Snowden leaked information about the full extent of the NSA's snooping, the Mozilla Foundation (the creators of Firefox and other software) started developing a free, open-source way to provide SSL certificates to websites, along with a Certificate Authority to issue them, so that anyone who wanted to could enable https on their website without having to pay for it. This is the Let's Encrypt project.

Https, compared to plain http, ensures that a user's connection to a website is encrypted and prevents man-in-the-middle attacks. It stops someone in the middle, for instance a roommate who controls the apartment's router or a local ISP, from seeing the details of what a person is doing on a given website. To see this for yourself, try using Wireshark to view your packets while entering search terms in Google over http, and then again over https. It's a big difference!

However, one barrier to making https more widespread is the expense. For a small personal website, a certificate can cost $16-$20 per year, and for a busier website, or one doing ecommerce across multiple subdomains, the expense can reach $170 a year or more. To get around this, the Let's Encrypt foundation is providing a means to get these certificates for free. The program is still in early testing, but after several days of frustrating work I finally enabled it on knek-tek.me as well as dagmar.knek-tek.me. The other domains that redirect here (knek-tek.com and knek-tek.net) don't have it, but they don't need it, since anyone visiting those sites gets automatically redirected here, at which point https can be used.

To ensure that https is used whenever possible, I highly recommend installing the HTTPS Everywhere plugin for your browser. It tells your browser that if a website offers https, it should be used. Without that plugin, some websites will offer https but won't force it, and your browser may default to the insecure, unencrypted http version.

Currently the certificates created by Let's Encrypt expire after 3 months, unlike the usual 1-year expiration, and I suspect this is because Let's Encrypt is still in early testing and they want to make sure that any future security flaws which get discovered are fixed soon by people who have to renew their cert.
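The short expiry above means a site that forgets to renew goes dark after 90 days, and the HTTPS Everywhere paragraph above notes that a site which merely offers https can still be reached over plain http. The script below is an added example (my own, not code from the original post or from the Let's Encrypt project) covering both points from the server operator's side: it computes how many days a certificate has left from the `notAfter` date that Python's `ssl.getpeercert()` returns, classifies it as ok / renew / expired, and checks whether a plain-http request to the site is redirected to the https version of the same host. The 30-day renewal threshold is a value chosen for this example (certbot's default renews at a similar point), and the dates and redirect responses in the offline demonstration are constructed sample values.

```python
"""Renewal and forced-HTTPS check for a Let's Encrypt site.

Added example, not part of the original post. RENEW_BEFORE_DAYS is a
threshold chosen here; the sample dates below are constructed values.
"""
import datetime
import http.client
import socket
import ssl
import urllib.parse

LETSENCRYPT_LIFETIME_DAYS = 90   # Let's Encrypt issues 90-day certificates
RENEW_BEFORE_DAYS = 30           # renewal threshold chosen for this example


def utc_timestamp(year, month, day, hour=12):
    """Unix timestamp for a UTC date; used to build sample 'now' values."""
    when = datetime.datetime(year, month, day, hour, tzinfo=datetime.timezone.utc)
    return when.timestamp()


def days_remaining(not_after, now_ts):
    """Days until the certificate's notAfter date (negative once expired).

    `not_after` is in the format ssl.getpeercert() returns, e.g.
    'Mar 15 12:00:00 2016 GMT'; `now_ts` is a Unix timestamp (UTC).
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # stdlib, parses as UTC
    return (expiry_ts - now_ts) / 86400


def renewal_status(not_after, now_ts, threshold_days=RENEW_BEFORE_DAYS):
    """Classify a certificate as 'expired', 'renew' or 'ok'."""
    left = days_remaining(not_after, now_ts)
    if left < 0:
        return "expired"
    if left < threshold_days:
        return "renew"
    return "ok"


def forces_https(status, location, host):
    """True when a plain-http response redirects to https on the same host.

    This is the server-side counterpart of HTTPS Everywhere: the site, not
    the browser plugin, insists on the encrypted version. The Location URL
    is parsed so that a redirect to a different host does not count.
    """
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urllib.parse.urlsplit(location)
    return target.scheme == "https" and target.hostname == host.lower()


def fetch_not_after(host, port=443, timeout=5):
    """Network helper: read notAfter from the live certificate (chain is validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def fetch_http_redirect(host, timeout=5):
    """Network helper: status code and Location header of a plain-http GET /."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_site(host, now_ts=None):
    """Run both checks against a live host and return a small report."""
    if now_ts is None:
        now_ts = datetime.datetime.now(datetime.timezone.utc).timestamp()
    not_after = fetch_not_after(host)
    status, location = fetch_http_redirect(host)
    return {
        "host": host,
        "not_after": not_after,
        "days_remaining": round(days_remaining(not_after, now_ts), 1),
        "status": renewal_status(not_after, now_ts),
        "forces_https": forces_https(status, location, host),
    }


if __name__ == "__main__":
    # Offline demonstration with constructed values (no network needed).
    sample_not_after = "Mar 15 12:00:00 2016 GMT"          # constructed
    feb_1 = utc_timestamp(2016, 2, 1)
    print(days_remaining(sample_not_after, feb_1), renewal_status(sample_not_after, feb_1))
    print(forces_https(301, "https://knek-tek.me/", "knek-tek.me"))
    # Against a live host: print(check_site("knek-tek.me"))
```

Run it from cron and alert on anything other than `"ok"` and `True`; with 90-day certificates the renewal window is short enough that a missed month is a visible outage, and a site that does not redirect http to https leaves visitors without the plugin on the unencrypted version.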